
Internal names

Related warning

"The certificate's Common Name or Subject Alternative Names contain an internal name."

Problem

Industry standards (the CA/Browser Forum Baseline Requirements) prohibit publicly trusted Certificate Authorities (CAs) from issuing certificates for internal names (see SSL Certificates for Internal Server Names). An internal name is a hostname that cannot be verified as globally unique in the public DNS, such as a name under a reserved top-level domain (see RFC 2606), or an IP address from a private range (see RFC 1918). We can't validate internal names because nobody can prove ownership of them externally: there is no public registry or DNS zone against which to check.

Examples of internal names

  • Server names with any of these non-public domain suffixes:

    • .test

    • .example

    • .invalid

    • .localhost

    • .local

    • .internal

  • Anything without a public domain suffix, such as NetBIOS names or single-label hostnames. For example, Web1, ExchCAS1, or Frodo.

  • Any IPv4 address in an RFC 1918 private range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).

  • Any IPv6 address in the RFC 4193 unique local range (fc00::/7).

Additionally, non-unique internal names carry too much potential for malicious misuse. Suppose a CA issued a publicly trusted certificate to a company for https://mail/. Because that name is not globally unique, anyone else could obtain a certificate for https://mail/ as well, present it on any network where "mail" resolves to their own server, and browsers would accept it: nothing in the name ties it to the company that first requested it.
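As an added example (not part of this page or of the checker it describes), the following Python code applies the rules listed above to each Common Name and Subject Alternative Name value and reports which ones are internal. The certificate names fed to it are constructed for the demonstration. It goes slightly beyond the page's list in one place: an IP address that is neither RFC 1918 nor RFC 4193 but is still not globally routable (loopback, link-local) is also flagged, since it is equally unverifiable.

```python
import ipaddress
from urllib.parse import urlsplit

# Non-public suffixes listed on this page: the RFC 2606 reserved TLDs plus
# .local (mDNS, RFC 6762) and .internal (reserved by ICANN).
NON_PUBLIC_SUFFIXES = frozenset(
    {"test", "example", "invalid", "localhost", "local", "internal"}
)

# Private address space: RFC 1918 (IPv4) and RFC 4193 unique local (IPv6).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")


def host_of(value):
    """Reduce a CN/SAN value to a bare host. Accepts 'mail', 'https://mail/',
    '[fd00::1]' or '10.1.2.3'; lower-cases and drops a trailing dot."""
    value = value.strip()
    host = urlsplit(value).hostname if "://" in value else value
    return (host or "").lower().strip("[]").rstrip(".")


def classify(value):
    """Return (internal, reason) for one Common Name or SAN entry."""
    host = host_of(value)
    if not host:
        return True, "empty name"

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None

    if addr is not None:
        if addr.version == 4 and any(addr in n for n in RFC1918):
            return True, "RFC 1918 private IPv4 address"
        if addr.version == 6 and addr in RFC4193:
            return True, "RFC 4193 unique local IPv6 address"
        if not addr.is_global:
            # Extension beyond the page's list: loopback, link-local, etc.
            return True, "non-globally-routable IP address"
        return False, "public IP address (needs IP validation, not domain validation)"

    labels = host.split(".")
    if labels[0] == "*":            # wildcard: judge the parent domain
        labels = labels[1:]
    if any(not lbl for lbl in labels):
        return True, "malformed name (empty label)"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return True, f"non-public suffix .{labels[-1]}"
    if len(labels) == 1:
        return True, "single-label hostname (NetBIOS/short name)"
    return False, "public DNS name"


def internal_names(subject_cn, sans):
    """Return [(value, reason), ...] for every CN/SAN entry that is an
    internal name. An empty list means the certificate passes this check."""
    findings = []
    for value in [subject_cn, *sans]:
        internal, reason = classify(value)
        if internal:
            findings.append((value, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: an Exchange-style certificate mixing public names
    # with the kinds of internal names this page warns about.
    cn = "mail.example.com"
    sans = ["mail.example.com", "autodiscover.example.com", "ExchCAS1",
            "exchcas1.corp.local", "192.168.10.5", "[fd12::1]", "https://mail/"]
    for value, reason in internal_names(cn, sans):
        print(f"{value}: {reason}")
```

The suffix check runs before the single-label check so that a bare localhost is reported under its reserved suffix rather than as a short hostname; a wildcard such as *.local is judged by the domain it covers.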

Solution

If you are a server administrator using internal names, you need to either reconfigure those servers to use a public name or switch to a certificate issued by an internal Certificate Authority (one you run and distribute to your own clients; outside parties will not trust it). All internal connections that require a publicly trusted certificate must use names under a registered domain you control and can validate, for example mail.corp.example.com rather than mail or mail.corp.local. The service does not need to be reachable from the Internet; only the name has to be verifiable through the public DNS zone of a domain you own, and in your internal DNS it can still resolve to a private address.

Depending on the applications in your environment, you may be able to reconfigure the application so that it no longer requires internal names, for example by having clients connect by fully qualified public name instead of by short hostname.